From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ludovic Courtès
To: 41425@debbugs.gnu.org
Cc: Ludovic Courtès
X-Debbugs-Original-To: guix-patches@gnu.org
Subject: [bug#41425] [PATCH 0/5] Have 'guix pull' protect against downgrade attacks
Date: Wed, 20 May 2020 23:38:02 +0200
Message-Id: <20200520213802.2170-1-ludo@gnu.org>
X-Mailer: git-send-email 2.26.2
X-GNU-PR-Message: report 41425
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
List-Id: guix-patches@gnu.org

Hello!

This patch series aims to protect against “downgrade attacks”, whereby a
“guix pull” command would in fact deploy an older or an unrelated revision
of Guix, potentially leading you to install vulnerable or malicious
software.

By default ‘guix pull’ would now error out if the target commit of a
channel is not a descendant of the currently-used commit, according to the
commit graph. There’s an option to bypass that. ‘guix time-machine’
behavior is unchanged though: it never complains.

This is generally useful and it’s a requirement for authenticated checkouts
as discussed in , otherwise one could easily escape the intended
authentication scheme by branching and providing a different
‘.guix-authorizations’ file.

Feedback welcome!

Ludo’.

Ludovic Courtès (5):
  git: Add 'commit-relation'.
  channels: 'latest-channel-instances' doesn't leak internal state.
  git: 'update-cached-checkout' returns the commit relation.
  channels: 'latest-channel-instances' guards against non-forward updates.
  pull: Protect against downgrade attacks.

 doc/guix.texi         |  15 ++++
 guix/channels.scm     | 156 ++++++++++++++++++++++++++++++------------
 guix/git.scm          |  37 ++++++++-
 guix/import/opam.scm  |   2 +-
 guix/scripts/pull.scm |  35 +++++++++-
 tests/channels.scm    |  47 +++++++++++-
 tests/git.scm         |  42 +++++++++++-
 7 files changed, 276 insertions(+), 58 deletions(-)

-- 
2.26.2
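The descendant check the cover letter describes, written out as an added example in Python rather than in Guix's Guile; this is not code from the patch series or from Guix. The commit graph is a constructed in-memory mapping (commit id to parent ids) rather than a real Git repository, and the names `commit_relation`, `is_forward_update`, `check_forward_update` and `DowngradeError` are illustrative assumptions, not Guix identifiers. The example also covers the cases the one-line description only implies: a merge commit with two parents, and an unrelated history (the branch-with-a-different-`.guix-authorizations` case) that must be rejected just like a plain rollback.

```python
"""Commit-graph relation check in the spirit of the 'guix pull' downgrade guard.

Added example, not Guix code.  The graph below is constructed for the
example: commit id -> tuple of parent ids (several parents = merge commit).
"""
from collections import deque
from typing import Dict, Mapping, Set, Tuple

Graph = Mapping[str, Tuple[str, ...]]

# Constructed sample history (assumption, not a real repository):
#
#   a1 -- b2 -- c3 -- d4 -- m6        z9   (unrelated root: separate history)
#          \              /
#           ---- e5 -----             (e5 branches off b2, merged into m6)
CONSTRUCTED_GRAPH: Dict[str, Tuple[str, ...]] = {
    "a1": (),
    "b2": ("a1",),
    "c3": ("b2",),
    "d4": ("c3",),
    "e5": ("b2",),        # branch: could carry a different .guix-authorizations
    "m6": ("d4", "e5"),   # merge commit, two parents
    "z9": (),             # unrelated history
}


def ancestors(graph: Graph, commit: str) -> Set[str]:
    """All ancestors of COMMIT (excluding COMMIT itself), via breadth-first walk.

    Unknown commit ids raise KeyError on purpose: an update to a commit the
    graph does not contain must not be silently treated as 'unrelated'.
    """
    seen: Set[str] = set()
    queue = deque(graph[commit])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(graph[current])
    return seen


def commit_relation(graph: Graph, old: str, new: str) -> str:
    """Relation of NEW to OLD: 'self', 'descendant', 'ancestor' or 'unrelated'."""
    if old == new:
        return "self"
    if old in ancestors(graph, new):
        return "descendant"   # fast-forward: NEW is reachable downstream of OLD
    if new in ancestors(graph, old):
        return "ancestor"     # rollback: NEW is an older commit on OLD's history
    return "unrelated"        # diverged or entirely separate history


def is_forward_update(graph: Graph, current: str, target: str) -> bool:
    """True only when TARGET is CURRENT itself or a descendant of CURRENT."""
    return commit_relation(graph, current, target) in ("self", "descendant")


class DowngradeError(Exception):
    """Raised when an update would move to a non-descendant commit."""


def check_forward_update(graph: Graph, current: str, target: str,
                         allow_downgrades: bool = False) -> str:
    """Return the relation, or raise DowngradeError unless downgrades are allowed.

    'allow_downgrades' plays the role of the bypass option the cover letter
    mentions; both 'ancestor' (rollback) and 'unrelated' (diverged history)
    are refused by default, since either lets an attacker serve a revision
    that is not a continuation of what the user already trusts.
    """
    relation = commit_relation(graph, current, target)
    if relation in ("self", "descendant") or allow_downgrades:
        return relation
    raise DowngradeError(
        f"refusing to update from {current} to {target}: "
        f"target is {relation} (not a descendant of the current commit)")


if __name__ == "__main__":
    for cur, tgt in [("c3", "d4"), ("d4", "c3"), ("d4", "e5"), ("e5", "m6"), ("c3", "z9")]:
        try:
            print(cur, "->", tgt, ":", check_forward_update(CONSTRUCTED_GRAPH, cur, tgt))
        except DowngradeError as err:
            print(cur, "->", tgt, ":", err)
```

Against a real checkout the same question is answered by `git merge-base --is-ancestor CURRENT TARGET`, which exits 0 when TARGET descends from CURRENT and 1 otherwise; the in-memory walk above is what that check amounts to, and it makes the merge and unrelated-root cases explicit.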